How enterprise risk management practices impact the Standard & Poor’s rating process.
Terry Pratt is director at the Standard & Poor’s Public Utilities, Power & Project Finance Ratings division.
About a year ago, Standard & Poor’s expanded the methodology used to review and assess the enterprise risk management practices of U.S. energy firms with trading desks. The methodology, known as the PIM framework, focuses on the three aspects of policies, infrastructure, and methodology, and produces a comprehensive evaluation of a firm’s risk management. The importance of each of these aspects in a company’s risk culture, and our opinion of its risk management quality, will depend on that company’s size, complexity, and range of risk.
Strong enterprise risk management is vital to the financial health and creditworthiness of energy companies with trading desks. Energy traders take complex risks every day, so energy companies have to be able to identify risks correctly and have the right tools to measure those risks. If risk-management practices are inadequate or are poorly integrated, the rating can suffer.
Incorporating PIM into the rating process enables rating companies to understand a company’s management better. Analysts now think not just about current risks and control processes, but also about potential and emerging risks, and how those fit into the risk assessment framework.
In PIM, policies incorporate business strategy, risk tolerance, and risk authorities and disclosure. Energy companies with trading desks must have appropriate risk-management tools and policies that are not just consistent with their goals, but are also clearly articulated, well understood, and well communicated throughout the enterprise.
Key elements of that policy should include consistency and linkages between strategy and risk management, clear risk policies, and effective internal and external disclosure of the level and complexity of its risk-taking. In addition, senior management must be engaged in the process, and corporate governance must be engaged through accountability, effective board access, authority, and management reporting.
Processes must be in place to monitor risk authority limits and enforce consequences for exceeding those limits. Disclosure policies must be clear, reporting timely and accurate, and internal operations procedures such as valuation of collateral, knowledge of counterparties, risk limits, and trade reconciliation must be well-documented and well-executed.
The infrastructure aspect focuses on technology, personnel, data, and operations, and the level of firm-wide integration the risk management function has achieved. A firm’s technology need to be commensurate with its risk-management needs. Commodity traders at energy firms routinely take complex risks, so the firms need sophisticated integrated technology to comprehensively and correctly analyze those risks and their impact on the enterprise.
We assess the risk-management staff by evaluating their seniority, education, career paths, and training. We also look at whether their compensation is linked to risk-management goals, and whether the department’s budget is sufficient for its needs.
Transaction sources, market data quality and integrity, and back office staff and operational quality also are examined. We consider back office operations integral, so we assess not just procedures and controls, but the operations staff’s training, education and knowledge as well.
Measuring operational risk is particularly important for good risk management, as the physical component of an energy firm’s trading renders its operational risks considerably different from those financial commodities traders face. PIM’s methodology component assesses how effectively an energy trading firm’s risk management tools test and capture its specific market, credit, and operational risks.
The process determines whether risks are correctly identified, risk factors evaluated periodically, and the metrics used to quantify risk and manage limits well-identified and understood. We look to see if and how companies value at risk (VaR) calculations and stress-testing measures, and how those are harmonized to define risk appetite and set limits. It also assesses how an energy trading firm measures its credit and operational risk by examining which measurement tools are used and why the company believes those tools are good indicators of risk-exposure levels. We also test a firm’s methodologies for worst-case scenario assumptions, to determine if sufficient information is being captured to permit proper risk and exposure mitigation. Models need to be periodically vetted, and the vetting process’ quality assessed. This vetting should include model back-testing.
We also assess whether specific measurement tools are tied to performance. Management must understand and appreciate the risk associated with the models. Good practice would require all model vetting and back-testing to be independent of the profit center. It would also capture the unique risks inherent in energy trading.
We examine an energy trading firm’s ability to attribute economic capital appropriately to the trading operation as well as measure risk-adjusted performance. We also examine how the performance metrics are used to manage the portfolio. Finally, we look for a steady record of compliance with the risk policies.
Down The Road
Like anything else, PIM is a tool. As we ask companies to do with their risk policies, we are constantly vetting and assessing this tool to make sure it provides us with results we can trust, so that the rating we arrive at correctly reflects the trading desk’s level of risk management and reveals how it fits into the rest of the firm.